ZyXel USG110 routing

JanSery
edited April 2021 in Security
Hello folks, please can anybody help me with one issue?
I have a USG110 with 2 internet connections set up as a trunk, with WAN1 active and WAN2 passive, Least Load First and Index on outbound.
WAN1 is used for the whole internet connection and WAN2 for the IPSec VPN connection only. I have one routing rule which routes traffic for the VPN tunnel to this trunk, but the VPN tunnel is connected via WAN1 when it should connect via WAN2. Can I force the USG110 to connect via WAN2 first?
The IPSec VPN tunnel is connected to a FortiGate which is managed by a cloud provider. On my side it is set up as a nailed-up connection.
Thank you very much.

All Replies

  • AWUSupport
    We have an identical setup to yours and forced IPSec VPN to use wan2 via the VPN Gateway settings that we created for that VPN connection. See screenshot below:



    If you need any additional details please feel free to ask.
  • JanSery
    OK, but it doesn't solve the situation when I need fallback and connectivity backup. I need to use WAN2 and, in case it is down, force the VPN GW to switch to WAN1. Thanks.
  • AWUSupport
    Apologies JanSery, reread your initial post a few times now and can see you are looking to failover of VPN back to wan1 if wan2 fails. We never went this far to make it automatically happen, and just manually changed VPN back to wan1 the very odd time we lost wan2.

    Hope someone here has an automatic failback method you can use.
  • Zyxel_Cooldia
    Welcome to Zyxel Community.  :)
    The link below is a configuration guide for a two-WAN Internet VPN failover scenario.
    You can follow this guide to set up VPN failover.
    GRE over IPSec VPN Tunnel – VPN Failover
  • JanSery
    Hello,
    thank you for the guide, but I am not sure if I can use it. I have no possibility to control or manage the second side of the VPN tunnel. I can manage only my side, which is a Zyxel with two WANs and one VPN tunnel. There is only one WAN on the second side and only one LAN pool.
    Thank you.
  • Zyxel_Cooldia
    edited July 2020
    That’s a doable VPN failover scenario if both sites are Zyxel devices.
    Assume Site A is a two-WAN site, and Site B is a two-WAN site.
    In the Site A VPN phase 1 setting, “My address” must be set to 0.0.0.0, which means allowing connections from WAN 1 or WAN 2, and the peer gateway must be set to dynamic address.
    As for Site B, it is supposed to have a setting for primary/secondary, and something like “falling back when possible”.
    Please note that in this scenario, connection control is on the peer site with one WAN.
    You can check whether the cloud provider has settings like these.

    Site A VPN phase 1 setting


    Site B VPN phase 1 setting
